AWS outage botnet smacks 28 countries, LLMs help malware authors evade detection, Anthropic pressed over Claude espionage - Cybersecurity Headlines

Cyber Security Headlines: Episode Summary

Podcast: Cyber Security Headlines
Host: Sarah Lane, CISO Series
Date: November 27, 2025
Episode Theme:
A snapshot of the day's key cybersecurity threats and industry news — from emerging botnet attacks and AI-enabled malware, to major supply chain vulnerabilities and regulatory challenges.

Key Discussion Points & Insights

1. AWS Outage Botnet Hits 28 Countries

[00:20 – 01:10]

Overview:
A Mirai-based botnet, Shadow V2, surfaced during a significant AWS outage in October 2025.
How it Worked:
- Exploited vulnerabilities in IoT devices from various vendors.
- Infected devices in 28 countries.
- Spread via a downloader script; functioned similarly to Lizard Mirai variant.
- Enabled DDoS attacks through a command and control server.
Current Status:
- Disappeared after the AWS outage concluded.
- Experts speculate it might have been a ‘test run’ for future attacks.

Quote:
"Fortinet says the botnet infected devices across 28 countries and may have been a test run for future attacks, though it vanished once the outage ended."
— Sarah Lane, [00:32]

2. Malware Authors Use LLMs to Evade Detection

[01:11 – 01:53]

Emerging Threat:
- Google Threat Intelligence Group observed malware leveraging large language models (LLMs) at runtime.
- Example LLMs used: Gemini, Hugging Face.
- Capabilities:
  - Dynamically rewriting code.
  - Generating system-specific commands.
  - Helping discover secrets on compromised hosts.
Implications:
- This approach mirrors early polymorphic malware but could lead to more adaptable future threats.
- Currently, reliance on external AI services leaves detectable footprints.

Quote:
"Researchers warn these techniques resemble early polymorphic malware and could make attacks more adaptive, though they remain detectable today due to their reliance on external AI service calls."
— Sarah Lane, [01:43]

3. Congressional Scrutiny on Anthropic Over AI Espionage

[01:54 – 02:26]

Incident:
- U.S. House Homeland Security Committee summoned Anthropic CEO over suspected Chinese espionage via Claude (Anthropic’s AI).
- At least 30 organizations were targeted.
Significance:
- Lawmakers called the incident a pivotal moment in U.S. cybersecurity, especially regarding AI, quantum computing, and cloud infrastructure risks.
Notable:
- Anthropic praised for its disclosure of the incident.

Quote:
"Lawmakers praised Anthropic for disclosing the attack, but called it a significant inflection point for US cybersecurity."
— Sarah Lane, [02:17]

4. Node Forge Library Signature Vulnerability

[02:27 – 02:55]

Technical Flaw:
- Flaw in the Node Forge JavaScript cryptography library allowed attackers to bypass signature verification with malformed ASN1 data.
- Could allow authentication bypass or tampering in dependent apps.
Scope:
- Library has roughly 26 million weekly downloads.
- Fix released in version 1.3.2; urgent updates recommended.

5. Shai Hulud V2: Expanding Supply Chain Attack

[03:26 – 04:00]

Attack Expansion:
- Shai Hulud V2 expanded from NPM to Maven ecosystems.
- Over 830 npm packages compromised.
- Resulted in exfiltration of thousands of secrets (API keys, cloud credentials, GitHub tokens).
- Attackers exploited misconfigurations, impacting 28,000+ repositories.
Defense Advice:
- Rotate keys.
- Audit dependencies.
- Remove compromised packages.
- Hardening development pipelines is advised.

6. Prompt Injections in ChatGPT Atlas Browser

[04:01 – 04:36]

Security Risk:
- OpenAI’s ChatGPT Atlas browser — featuring agentic AI since October 2025 — is susceptible to prompt injection attacks.
Dangers:
- Injections could expose data, execute unauthorized code, or compromise entire networks of agents.
- Agents with tool access/autonomy are increasingly vulnerable as attack surface grows.
Mitigations:
- Apply least privilege principle.
- Use sandboxing.
- Maintain human oversight.
- Treat all untrusted input as hostile.

7. Fragmented Cyber Regulations Burden Mobile Operators

[04:37 – 05:11]

GSMA Report:
- Mobile network operators struggle with costly, overlapping regulations.
- Up to 50% of security teams’ time is spent on compliance instead of active threat mitigation.
- GSMA urges governments to streamline cyber policy frameworks and emphasize internationally coordinated standards.

Quote:
"Overlapping laws and duplicate reporting force operators to spend as much as half their security team's time on compliance. Instead of threat mitigation, the GSMA wants governments to simplify rules."
— Sarah Lane, [04:56]

8. Comcast Fined Over Vendor Data Breach

[05:12 – 05:51]

FCC Action:
- Comcast fined $1.5 million after its third-party debt collector FBCS suffered a breach in 2024.
- Breach exposed 274,000 customers’ information: names, addresses, SSNs, birthdates, account numbers.
Vendor Negligence:
- FBCS waited five months before notifying Comcast, repeatedly downplayed impact.
Settlement Terms:
- Comcast to enhance vendor oversight, conduct biannual risk assessments, and report violations for three years.

Quote:
"Attackers indeed stole names, addresses, Social Security numbers, dates of birth and account numbers. Under the settlement, Comcast has to tighten vendor oversight..."
— Sarah Lane, [05:39]

Memorable Moments

On the continuing evolution of polymorphic threats:
"These techniques resemble early polymorphic malware and could make attacks more adaptive."
— [01:43]
Anthropic incident called a potential inflection point:
"A significant inflection point for US cybersecurity."
— [02:17]

Conclusion & Takeaways

A dynamic snapshot of cybersecurity’s evolving threat landscape, showcasing how outages, AI, supply chains, and regulation create new attack surfaces and operational challenges. The episode underscores the urgency of patching, process improvements, and the need for unified policy approaches in the face of increasingly sophisticated and adaptive threats.

Transcript

A (0:00)

From the CISO series. It's Cybersecurity Headlines.

B (0:07)

These are the cybersecurity headlines for Thursday, November 27, 2025. I'm Sarah Lane. AWS outage botnet smacks 28 countries A Mireille based botnet called Shadow V2 surfaced during October's major AWS outage, exploiting vulnerabilities in IoT devices from multiple vendors. Fortinet says the botnet infected devices across 28 countries and may have been a test run for future attacks, though it vanished once the outage ended. Shadow V2 spreads via a downloader script and behaves similarly to the Lizard Mirais variant, allowing DDoS attacks through a command and control server. LLMs help malware authors evade detection Google's Threat Intelligence Group says attackers are using malware with large language models at runtime to evade detection. Samples include tools that ask models like Gemini or Hugging Face to rewrite code, generate system specific commands or help locate secrets. Researchers warn these techniques resemble early polymorphic malware and could make attacks more adaptive, though they remain detectable today due to their reliance on external AI service calls. Anthropic questioned over Claude espionage the U.S. house Homeland Security Committee has summoned Anthropic CEO Dario Amodei to testify on December 17 about a likely Chinese espionage campaign that used Anthropic's AI Claude to target at least 30 organizations. Lawmakers praised Anthropic for disclosing the attack, but called it a significant inflection point for US cybersecurity. The hearing will focus on how AI, quantum computing and cloud infrastructure are reshaping state sponsored cyber threats. Forge library gets fixed for signature flaw A high severity flaw in the node forge JavaScript cryptography library lets attackers bypass signature verification by crafting malformed ASN1 data that the library incorrectly treated as valid. Palo Alto Networks reported the issue, which could allow authentication, bypass or tampering in apps that rely on nodeforge. The library sees roughly 26 million weekly downloads, a fix shipped in version 1.3.2 and and developers are urged to update immediately. Huge thanks to our sponsor NoBe4. Cybersecurity isn't just a tech problem, it's a human one. That is why KnowBe4's Human Risk Management platform allows you to measure, quantify and actually reduce human risk across your org with AI powered risk scoring, automated coaching and reporting. HRM helps you surface your highest risk users and reduce the risk of data breaches and cyber attacks proactively Ready to move from awareness to action? Request a demo of hrm today@nov4.com Shaihulud V2 Campaign Exposes Secrets the Shai Hulud V2 supply chain attack has expanded from NPM to maven, compromising more than 830 npm packages and exposing thousands of secrets. Malware embedded in these packages backdoors developer machines, harvests API keys, cloud credentials, and GitHub tokens, and exfiltrates them to randomly named public repositories. By exploiting misconfigurations, the attack affects more than 28,000 repositories. Security firms urge rotating keys, auditing dependencies, removing compromised packages, and hardening development pipelines to prevent further spread. Prompt injections muddle ChatGPT's Atlas browser OpenAI's ChatGPT Atlas browser launched back in October. It includes agentic AI capable of autonomous tasks, but this expands the risk of prompt injections. Direct or even indirect injections could expose sensitive data, execute code, or compromise networks of agents. Experts warn that the problem grows as agents gain tool access and autonomy, making attacks more dangerous. Mitigations include strict least privilege access, sandboxing, human oversight and and treating untrusted input as hostile. Patchwork Cyber regs are Driving up Costs the Global System for Mobile Communications association, or gsma, says that fragmented, poorly designed regulations for mobile operators are driving up costs without making networks safer. In a new report, the group says overlapping laws and duplicate reporting force operators to spend as much as half their security team's time on compliance. Instead of threat mitigation, the GSMA wants governments to simplify rules aligned with international standards and shift towards coordinated outcomes focused frameworks. Comcast to pay 1.5 million for vendor breach Comcast will pay a $1.5 million FCC fine after third party debt collector FBCS Will was hacked back in 2024, exposing data on roughly 274,000 customers. FBCS waited five months to notify Comcast and had repeatedly claimed that no Comcast data was affected. Attackers indeed stole names, addresses, Social Security numbers, dates of birth and account numbers. Under the settlement, Comcast has to tighten vendor oversight, run biannual risk assessments and report viol for three years. From all of us at the CISO series, here's wishing you and yours a very happy Thanksgiving. And if you're not in the U.S. well, have a great Thursday. I am Sarah Lane reporting for the CISO series where stuffing is optional but always recommended.